Chapter 14 

Number Theory 



Number theory is the study of the integers. Why anyone would want to study the integers is not immediately obvious. First of all, what's to know? There's 0, there's 1, 2, 3, and so on, and, oh yeah, -1, -2, ... Which one don't you understand? Second, what practical value is there in it? The mathematician G. H. Hardy expressed pleasure in its impracticality when he wrote:

    [Number theorists] may be justified in rejoicing that there is one science, at any rate, and that their own, whose very remoteness from ordinary human activities should keep it gentle and clean.

Hardy was specially concerned that number theory not be used in warfare; he was a pacifist. You may applaud his sentiments, but he got it wrong: Number Theory underlies modern cryptography, which is what makes secure online communication possible. Secure communication is of course crucial in war — which may leave poor Hardy spinning in his grave. It's also central to online commerce. Every time you buy a book from Amazon, check your grades on WebSIS, or use a PayPal account, you are relying on number theoretic algorithms.

14.1 Divisibility 

Since we'll be focusing on properties of the integers, we'll adopt the default convention in this chapter that variables range over integers, Z.

The nature of number theory emerges as soon as we consider the divides relation

    a divides b iff ak = b for some k.

The notation, a | b, is an abbreviation for "a divides b." If a | b, then we also say that b is a multiple of a. A consequence of this definition is that every number divides zero.

This seems simple enough, but let's play with this definition. The Pythagoreans, an ancient sect of mathematical mystics, said that a number is perfect if it equals the sum of its positive integral divisors, excluding itself. For example, 6 = 1 + 2 + 3 and 28 = 1 + 2 + 4 + 7 + 14 are perfect numbers. On the other hand, 10 is not perfect because 1 + 2 + 5 = 8, and 12 is not perfect because 1 + 2 + 3 + 4 + 6 = 16. Euclid characterized all the even perfect numbers around 300 BC. But is there an odd perfect number? More than two thousand years later, we still don't know! All numbers up to about 10^300 have been ruled out, but no one has proved that there isn't an odd perfect number waiting just over the horizon.
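As an added illustration (not part of the original text), here is a small Python program that implements the divides relation and the Pythagoreans' definition of a perfect number. Divisors pair up as (d, n/d), so summing the proper divisors only needs trial division up to √n; the same routine lists every perfect number below a bound.

```python
from math import isqrt

def divides(a: int, b: int) -> bool:
    """a | b  iff  a*k == b for some integer k.  Every integer divides 0."""
    if a == 0:
        return b == 0          # only 0 is a multiple of 0
    return b % a == 0

def proper_divisor_sum(n: int) -> int:
    """Sum of the positive divisors of n excluding n itself (n >= 1).

    Divisors come in pairs (d, n // d), so trying d up to sqrt(n) finds them all."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    total = 0
    for d in range(1, isqrt(n) + 1):
        if n % d == 0:
            total += d
            partner = n // d
            if partner != d:          # avoid counting a square root twice
                total += partner
    return total - n                  # the loop counted n itself (paired with d = 1)

def is_perfect(n: int) -> bool:
    """Perfect: equal to the sum of its positive divisors other than itself."""
    return n > 1 and proper_divisor_sum(n) == n

def perfect_numbers_below(limit: int) -> list:
    return [n for n in range(2, limit) if is_perfect(n)]

if __name__ == "__main__":
    print(perfect_numbers_below(10000))
```

Running it confirms the text's examples (6 and 28 are perfect, 10 and 12 are not) and shows how sparse perfect numbers are: only four lie below 10,000.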

So a half-page into number theory, we've strayed past the outer limits of human knowledge! This is pretty typical; number theory is full of questions that are easy to pose, but incredibly difficult to answer. Interestingly, we'll see that computer scientists have found ways to turn some of these difficulties to their advantage.

Don't Panic — we're going to stick to some relatively benign parts of number theory. We rarely put any of these super-hard unsolved problems on exams :-)

14.1.1 Facts About Divisibility 

The lemma below states some basic facts about divisibility that are not difficult to prove:

Lemma 14.1.1. The following statements about divisibility hold.

1. If a | b, then a | bc for all c.

2. If a | b and b | c, then a | c.

3. If a | b and a | c, then a | sb + tc for all s and t.

4. For all c ≠ 0, a | b if and only if ca | cb.

Proof. We'll prove only part 2.; the other proofs are similar.

Proof of 2.: Since a | b, there exists an integer k1 such that a k1 = b. Since b | c, there exists an integer k2 such that b k2 = c. Substituting a k1 for b in the second equation gives (a k1) k2 = c. So a (k1 k2) = c, which implies that a | c. ■



A number p > 1 with no positive divisors other than 1 and itself is called a 
prime. Every other number greater than 1 is called composite. For example, 2, 3, 5, 
7, 11, and 13 are all prime, but 4, 6, 8, and 9 are composite. Because of its special 
properties, the number 1 is considered to be neither prime nor composite. 
Famous Problems in Number Theory

Fermat's Last Theorem  Do there exist positive integers x, y, and z such that

    x^n + y^n = z^n

for some integer n > 2? In a book he was reading around 1630, Fermat claimed to have a proof, but not enough space in the margin to write it down. Wiles finally gave a proof of the theorem in 1994, after seven years of working in secrecy and isolation in his attic. His proof did not fit in any margin.

Goldbach Conjecture  Is every even integer greater than two equal to the sum of two primes? For example, 4 = 2 + 2, 6 = 3 + 3, 8 = 3 + 5, etc. The conjecture holds for all numbers up to 10^16. In 1939 Schnirelman proved that every even number can be written as the sum of not more than 300,000 primes, which was a start. Today, we know that every even number is the sum of at most 6 primes.

Twin Prime Conjecture  Are there infinitely many primes p such that p + 2 is also a prime? In 1966 Chen showed that there are infinitely many primes p such that p + 2 is the product of at most two primes. So the conjecture is known to be almost true!

Primality Testing  Is there an efficient way to determine whether n is prime? A naive search for factors of n takes a number of steps proportional to √n, which is exponential in the size of n in decimal or binary notation. All known procedures for prime checking blew up like this on various inputs. Finally in 2002, an amazingly simple, new method was discovered by Agrawal, Kayal, and Saxena, which showed that prime testing only required a polynomial number of steps. Their paper began with a quote from Gauss emphasizing the importance and antiquity of the problem even in his time — two centuries ago. So prime testing is definitely not in the category of infeasible problems requiring an exponentially growing number of steps in bad cases.

Factoring  Given the product of two large primes n = pq, is there an efficient way to recover the primes p and q? The best known algorithm is the "number field sieve", which runs in time proportional to:

    e^(1.9 (ln n)^(1/3) (ln ln n)^(2/3))

This is infeasible when n has 300 digits or more.
14.1.2 When Divisibility Goes Bad

As you learned in elementary school, if one number does not evenly divide another, you get a "quotient" and a "remainder" left over. More precisely:

Theorem 14.1.2 (Division Theorem).¹ Let n and d be integers such that d > 0. Then there exists a unique pair of integers q and r, such that

    n = q · d + r AND 0 ≤ r < d. (14.1)

The number q is called the quotient and the number r is called the remainder of n divided by d. We use the notation qcnt(n, d) for the quotient and rem(n, d) for the remainder.

For example, qcnt(2716, 10) = 271 and rem(2716, 10) = 6, since 2716 = 271 · 10 + 6. Similarly, rem(−11, 7) = 3, since −11 = (−2) · 7 + 3. There is a remainder operator built into many programming languages. For example, the expression "32 % 5" evaluates to 2 in Java, C, and C++. However, all these languages treat negative numbers strangely.

We'll take this familiar Division Theorem for granted without proof.
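The following Python program is an added example, not from the text. It defines qcnt and rem exactly as the Division Theorem does (Python's // and % already round toward minus infinity, so rem(−11, 7) comes out as 3), models the truncating remainder that C, C++ and Java return for a negative dividend, and shows the one-line repair that brings such a remainder back into the range 0 ≤ r < d. The distinction is a practical one: a remainder that is about to be used as an index into a table of size d must never be negative.

```python
def qcnt(n: int, d: int) -> int:
    """Quotient q of the Division Theorem: n = q*d + r with 0 <= r < d (d > 0).

    Python's // rounds toward minus infinity, which is exactly floor(n / d)."""
    if d <= 0:
        raise ValueError("the Division Theorem needs d > 0")
    return n // d

def rem(n: int, d: int) -> int:
    """Remainder r of the Division Theorem; always satisfies 0 <= r < d."""
    if d <= 0:
        raise ValueError("the Division Theorem needs d > 0")
    return n - qcnt(n, d) * d

def truncating_rem(n: int, d: int) -> int:
    """Model of the % operator in C, C++ and Java: the quotient is rounded
    toward zero, so for negative n the remainder comes out negative."""
    if d <= 0:
        raise ValueError("only positive divisors are modelled here")
    q = abs(n) // d
    if n < 0:
        q = -q
    return n - q * d

def to_division_theorem_rem(r: int, d: int) -> int:
    """Repair a truncating remainder so that it lies in 0 <= r < d again."""
    return r + d if r < 0 else r

def division_theorem_holds(n: int, d: int) -> bool:
    """Check both clauses of (14.1) for one pair (n, d)."""
    q, r = qcnt(n, d), rem(n, d)
    return n == q * d + r and 0 <= r < d

if __name__ == "__main__":
    print(qcnt(2716, 10), rem(2716, 10))        # the text's first example
    print(qcnt(-11, 7), rem(-11, 7))            # the text's second example
    print(truncating_rem(-11, 7))               # what C-style % gives instead
```

The check division_theorem_holds can be run over a range of negative and positive n to see that the definition above never produces a negative remainder, whereas truncating_rem does as soon as n < 0.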

14.1.3 Die Hard

We've previously looked at the Die Hard water jug problem with jugs of sizes 3 and 5, and 3 and 9. A little number theory lets us solve all these silly water jug questions at once. In particular, it will be easy to figure out exactly which amounts of water can be measured out using jugs with capacities a and b.

Finding an Invariant Property

Suppose that we have water jugs with capacities a and b with b > a. The state of the system is described below with a pair of numbers (x, y), where x is the amount of water in the jug with capacity a and y is the amount in the jug with capacity b. Let's carry out sample operations and see what happens, assuming the b-jug is big enough:



    (0, 0) → (a, 0)          fill first jug
           → (0, a)          pour first into second
           → (a, a)          fill first jug
           → (2a − b, b)     pour first into second (assuming 2a > b)
           → (2a − b, 0)     empty second jug
           → (0, 2a − b)     pour first into second
           → (a, 2a − b)     fill first
           → (3a − 2b, b)    pour first into second (assuming 3a > 2b)

¹This theorem is often called the "Division Algorithm," even though it is not what we would call an algorithm.
What leaps out is that at every step, the amount of water in each jug is of the form

    s · a + t · b (14.2)

for some integers s and t. An expression of the form (14.2) is called an integer linear combination of a and b, but in this chapter we'll just call it a linear combination, since we're only talking integers. So we're suggesting:

Lemma 14.1.3. Suppose that we have water jugs with capacities a and b. Then the amount of water in each jug is always a linear combination of a and b.

Lemma 14.1.3 is easy to prove by induction on the number of pourings.

Proof. The induction hypothesis, P(n), is the proposition that after n steps, the amount of water in each jug is a linear combination of a and b.

Base case: (n = 0). P(0) is true, because both jugs are initially empty, and 0 · a + 0 · b = 0.

Inductive step. We assume by induction hypothesis that after n steps the amount of water in each jug is a linear combination of a and b. There are two cases:

• If we fill a jug from the fountain or empty a jug into the fountain, then that jug is empty or full. The amount in the other jug remains a linear combination of a and b. So P(n + 1) holds.

• Otherwise, we pour water from one jug to another until one is empty or the other is full. By our assumption, the amount in each jug is a linear combination of a and b before we begin pouring:

    j1 = s1 · a + t1 · b
    j2 = s2 · a + t2 · b

After pouring, one jug is either empty (contains 0 gallons) or full (contains a or b gallons). Thus, the other jug contains either j1 + j2 gallons, j1 + j2 − a, or j1 + j2 − b gallons, all of which are linear combinations of a and b. So P(n + 1) holds in this case as well.

So in any case, P(n + 1) follows, completing the proof by induction. ■

This theorem has an important corollary:

Corollary 14.1.4. Bruce dies.

Proof. In Die Hard 6, Bruce has water jugs with capacities 3 and 6 and must form 4 gallons of water. However, the amount in each jug is always of the form 3s + 6t by Lemma 14.1.3. This is always a multiple of 3 by Lemma 14.1.1.3, so he cannot measure out 4 gallons. ■

But Lemma 14.1.3 isn't very satisfying. We've just managed to recast a pretty understandable question about water jugs into a complicated question about linear combinations. This might not seem like progress. Fortunately, linear combinations are closely related to something more familiar, namely greatest common divisors, and these will help us solve the water jug problem.
14.2 The Greatest Common Divisor

We've already examined the Euclidean Algorithm for computing gcd(a, b), the greatest common divisor of a and b. This quantity turns out to be a very valuable piece of information about the relationship between a and b. We'll be making arguments about greatest common divisors all the time.

14.2.1 Linear Combinations and the GCD

The theorem below relates the greatest common divisor to linear combinations. This theorem is very useful; take the time to understand it and then remember it!

Theorem 14.2.1. The greatest common divisor of a and b is equal to the smallest positive linear combination of a and b.

For example, the greatest common divisor of 52 and 44 is 4. And, sure enough, 4 is a linear combination of 52 and 44:

    6 · 52 + (−7) · 44 = 4

Furthermore, no linear combination of 52 and 44 is equal to a smaller positive integer.

Proof. By the Well Ordering Principle, there is a smallest positive linear combination of a and b; call it m. We'll prove that m = gcd(a, b) by showing both gcd(a, b) ≤ m and m ≤ gcd(a, b).

First, we show that gcd(a, b) ≤ m. Now any common divisor of a and b — that is, any c such that c | a and c | b — will divide both sa and tb, and therefore also divides sa + tb. The gcd(a, b) is by definition a common divisor of a and b, so

    gcd(a, b) | sa + tb (14.3)

for every s and t. In particular, gcd(a, b) | m, which implies that gcd(a, b) ≤ m.

Now, we show that m ≤ gcd(a, b). We do this by showing that m | a. A symmetric argument shows that m | b, which means that m is a common divisor of a and b. Thus, m must be less than or equal to the greatest common divisor of a and b.

All that remains is to show that m | a. By the Division Algorithm, there exists a quotient q and remainder r such that:

    a = q · m + r (where 0 ≤ r < m)

Recall that m = sa + tb for some integers s and t. Substituting in for m gives:

    a = q · (sa + tb) + r, so
    r = (1 − qs) a + (−qt) b.

We've just expressed r as a linear combination of a and b. However, m is the smallest positive linear combination and 0 ≤ r < m. The only possibility is that the remainder r is not positive; that is, r = 0. This implies m | a. ■
Corollary 14.2.2. An integer is a linear combination of a and b iff it is a multiple of gcd(a, b).

Proof. By (14.3), every linear combination of a and b is a multiple of gcd(a, b). Conversely, since gcd(a, b) is a linear combination of a and b, every multiple of gcd(a, b) is as well. ■

Now we can restate the water jugs lemma in terms of the greatest common divisor:

Corollary 14.2.3. Suppose that we have water jugs with capacities a and b. Then the amount of water in each jug is always a multiple of gcd(a, b).

For example, there is no way to form 2 gallons using 1247 and 899 gallon jugs, because 2 is not a multiple of gcd(1247, 899) = 29.

14.2.2 Properties of the Greatest Common Divisor 

We'll often make use of some basic gcd facts:

Lemma 14.2.4. The following statements about the greatest common divisor hold:

1. Every common divisor of a and b divides gcd(a, b).

2. gcd(ka, kb) = k · gcd(a, b) for all k > 0.

3. If gcd(a, b) = 1 and gcd(a, c) = 1, then gcd(a, bc) = 1.

4. If a | bc and gcd(a, b) = 1, then a | c.

5. gcd(a, b) = gcd(b, rem(a, b)).

Here's the trick to proving these statements: translate the gcd world to the lin- 
ear combination world using Theorem 14.2.1, argue about linear combinations, 
and then translate back using Theorem 14.2.1 again. 

Proof. We prove only parts 3. and 4.

Proof of 3. The assumptions together with Theorem 14.2.1 imply that there exist integers s, t, u, and v such that:

    sa + tb = 1
    ua + vc = 1

Multiplying these two equations gives:

    (sa + tb)(ua + vc) = 1

The left side can be rewritten as a · (asu + btu + csv) + bc(tv). This is a linear combination of a and bc that is equal to 1, so gcd(a, bc) = 1 by Theorem 14.2.1.

Proof of 4. Theorem 14.2.1 says that gcd(ac, bc) is equal to a linear combination of ac and bc. Now a | ac trivially and a | bc by assumption. Therefore, a divides every linear combination of ac and bc. In particular, a divides gcd(ac, bc) = c · gcd(a, b) = c · 1 = c. The first equality uses part 2. of this lemma, and the second uses the assumption that gcd(a, b) = 1. ■

Lemma 14.2.4.5 is the preserved invariant from Lemma 9.1.7 that we used to 
prove partial correctness of the Euclidean Algorithm. 

Now let's see if it's possible to make 3 gallons using 21 and 26-gallon jugs. 
Using Euclid's algorithm: 

gcd(26, 21) = gcd(21, 5) = gcd(5, 1) = 1. 

Now 3 is a multiple of 1, so we can't rule out the possibility that 3 gallons can be 
formed. On the other hand, we don't know it can be done. 

14.2.3 One Solution for All Water Jug Problems 

Can Bruce form 3 gallons using 21 and 26-gallon jugs? This question is not so easy 
to answer without some number theory. 

Corollary 14.2.2 says that 3 can be written as a linear combination of 21 and 26, since 3 is a multiple of gcd(21, 26) = 1. In other words, there exist integers s and t such that:

    3 = s · 21 + t · 26

We don't know what the coefficients s and t are, but we do know that they exist.

Now the coefficient s could be either positive or negative. However, we can readily transform this linear combination into an equivalent linear combination

    3 = s' · 21 + t' · 26 (14.4)

where the coefficient s' is positive. The trick is to notice that if we increase s by 26 in the original equation and decrease t by 21, then the value of the expression s · 21 + t · 26 is unchanged overall. Thus, by repeatedly increasing the value of s (by 26 at a time) and decreasing the value of t (by 21 at a time), we get a linear combination s' · 21 + t' · 26 = 3 where the coefficient s' is positive. Notice that then t' must be negative; otherwise, this expression would be much greater than 3.

Now here's how to form 3 gallons using jugs with capacities 21 and 26:

Repeat s' times:

1. Fill the 21-gallon jug.

2. Pour all the water in the 21-gallon jug into the 26-gallon jug. Whenever the 26-gallon jug becomes full, empty it out.

At the end of this process, we must have emptied the 26-gallon jug exactly |t'| times. Here's why: we've taken s' · 21 gallons of water from the fountain, and we've poured out some multiple of 26 gallons. If we emptied fewer than |t'| times, then by (14.4), the big jug would be left with at least 3 + 26 gallons, which is more than it can hold; if we emptied it more times, the big jug would be left containing at most 3 − 26 gallons, which is nonsense. But once we have emptied the 26-gallon jug exactly |t'| times, equation (14.4) implies that there are exactly 3 gallons left.

Remarkably, we don't even need to know the coefficients s' and t' in order to use this strategy! Instead of repeating the outer loop s' times, we could just repeat until we obtain 3 gallons, since that must happen eventually. Of course, we have to keep track of the amounts in the two jugs so we know when we're done. Here's the solution that approach gives:



    (0, 0)
      fill 21           → (21, 0)
      pour 21 into 26   → (0, 21)
      fill 21           → (21, 21)
      pour 21 into 26   → (16, 26)
      empty 26          → (16, 0)
      pour 21 into 26   → (0, 16)
      fill 21           → (21, 16)
      pour 21 into 26   → (11, 26)
      empty 26          → (11, 0)
      pour 21 into 26   → (0, 11)
      fill 21           → (21, 11)
      pour 21 into 26   → (6, 26)
      empty 26          → (6, 0)
      pour 21 into 26   → (0, 6)
      fill 21           → (21, 6)
      pour 21 into 26   → (1, 26)
      empty 26          → (1, 0)
      pour 21 into 26   → (0, 1)
      fill 21           → (21, 1)
      pour 21 into 26   → (0, 22)
      fill 21           → (21, 22)
      pour 21 into 26   → (17, 26)
      empty 26          → (17, 0)
      pour 21 into 26   → (0, 17)
      fill 21           → (21, 17)
      pour 21 into 26   → (12, 26)
      empty 26          → (12, 0)
      pour 21 into 26   → (0, 12)
      fill 21           → (21, 12)
      pour 21 into 26   → (7, 26)
      empty 26          → (7, 0)
      pour 21 into 26   → (0, 7)
      fill 21           → (21, 7)
      pour 21 into 26   → (2, 26)
      empty 26          → (2, 0)
      pour 21 into 26   → (0, 2)
      fill 21           → (21, 2)
      pour 21 into 26   → (0, 23)
      fill 21           → (21, 23)
      pour 21 into 26   → (18, 26)
      empty 26          → (18, 0)
      pour 21 into 26   → (0, 18)
      fill 21           → (21, 18)
      pour 21 into 26   → (13, 26)
      empty 26          → (13, 0)
      pour 21 into 26   → (0, 13)
      fill 21           → (21, 13)
      pour 21 into 26   → (8, 26)
      empty 26          → (8, 0)
      pour 21 into 26   → (0, 8)
      fill 21           → (21, 8)
      pour 21 into 26   → (3, 26)
      empty 26          → (3, 0)
      pour 21 into 26   → (0, 3)



The same approach works regardless of the jug capacities and even regardless of the amount we're trying to produce! Simply repeat these two steps until the desired amount of water is obtained:

1. Fill the smaller jug. 

2. Pour all the water in the smaller jug into the larger jug. Whenever the larger 
jug becomes full, empty it out. 

By the same reasoning as before, this method eventually generates every mul- 
tiple of the greatest common divisor of the jug capacities — all the quantities we 
can possibly produce. No ingenuity is needed at all! 
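The following Python program is an added example, not from the text. It does two things: it explores every state reachable from (0, 0) with the six jug operations (fill, empty, and pour in either direction), which lets us check Corollary 14.2.3 directly (every amount that ever appears is a multiple of gcd(a, b), so Bruce cannot make 4 gallons from 3- and 6-gallon jugs), and it runs the two-step fill-pour-empty procedure above, reproducing the 21/26 trace up to the first moment 3 gallons appear.

```python
from math import gcd

def reachable_states(a: int, b: int) -> set:
    """All (x, y) states reachable from (0, 0) with jugs of capacity a and b
    using the six Die Hard moves: fill or empty either jug, pour either way."""
    def moves(x, y):
        yield a, y                     # fill first jug
        yield x, b                     # fill second jug
        yield 0, y                     # empty first jug
        yield x, 0                     # empty second jug
        t = min(x, b - y)              # pour first into second
        yield x - t, y + t
        t = min(y, a - x)              # pour second into first
        yield x + t, y - t
    seen, frontier = {(0, 0)}, [(0, 0)]
    while frontier:                    # plain depth-first exploration
        x, y = frontier.pop()
        for s in moves(x, y):
            if s not in seen:
                seen.add(s)
                frontier.append(s)
    return seen

def measurable_amounts(a: int, b: int) -> set:
    """Every amount of water that can appear in either jug."""
    return {v for state in reachable_states(a, b) for v in state}

def fill_pour_empty(a: int, b: int, target: int):
    """The universal procedure: fill the smaller jug, pour it into the larger,
    empty the larger whenever it fills.  Returns the list of (move, state)
    steps up to the first state containing `target`, or None when target is
    not a multiple of gcd(a, b) (Corollary 14.2.3: then it is unreachable)."""
    small, large = min(a, b), max(a, b)
    if target % gcd(a, b) != 0 or target > large:
        return None
    x = y = 0
    trace = [("start", (0, 0))]
    while target not in (x, y):
        x = small
        trace.append((f"fill {small}", (x, y)))
        while x > 0:
            t = min(x, large - y)
            x, y = x - t, y + t
            trace.append((f"pour {small} into {large}", (x, y)))
            if target in (x, y):
                break
            if y == large:
                y = 0
                trace.append((f"empty {large}", (x, y)))
    return trace

if __name__ == "__main__":
    print(sorted(measurable_amounts(3, 6)))           # Bruce dies: 4 is absent
    for move, state in fill_pour_empty(21, 26, 3):
        print(f"{move:18s} {state}")
```

The 21/26 run needs exactly 15 fills of the small jug before 3 gallons appear, matching the coefficient s' = 15 in 3 = 15 · 21 − 12 · 26 that the argument above guarantees exists.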
14.2.4 The Pulverizer

We saw that no matter which pair of integers a and b we are given, there is always a pair of integer coefficients s and t such that

    gcd(a, b) = sa + tb.

The previous subsection gives a roundabout and not very efficient method of finding such coefficients s and t. In Chapter 9.1.3 we defined and verified the "Extended Euclidean GCD algorithm," which is a much more efficient way to find these coefficients. In this section we finally explain where the obscure procedure in Chapter 9.1.3 came from by describing it in a way that dates to sixth-century India, where it was called kuttak, which means "The Pulverizer."

Suppose we use Euclid's Algorithm to compute the GCD of 259 and 70, for example:

    gcd(259, 70) = gcd(70, 49)    since rem(259, 70) = 49
                 = gcd(49, 21)    since rem(70, 49) = 21
                 = gcd(21, 7)     since rem(49, 21) = 7
                 = gcd(7, 0)      since rem(21, 7) = 0
                 = 7.

The Pulverizer goes through the same steps, but requires some extra bookkeeping along the way: as we compute gcd(a, b), we keep track of how to write each of the remainders (49, 21, and 7, in the example) as a linear combination of a and b (this is worthwhile, because our objective is to write the last nonzero remainder, which is the GCD, as such a linear combination). For our example, here is this extra bookkeeping:

    x     y     (rem(x, y)) = x − q · y
    259   70    49 = 259 − 3 · 70
    70    49    21 = 70 − 1 · 49
                   = 70 − 1 · (259 − 3 · 70)
                   = −1 · 259 + 4 · 70
    49    21    7 = 49 − 2 · 21
                   = (259 − 3 · 70) − 2 · (−1 · 259 + 4 · 70)
                   = 3 · 259 − 11 · 70
    21    7     0

We began by initializing two variables, x = a and y = b. In the first two columns above, we carried out Euclid's algorithm. At each step, we computed rem(x, y), which can be written in the form x − q · y. (Remember that the Division Algorithm says x = q · y + r, where r is the remainder. We get r = x − q · y by rearranging terms.) Then we replaced x and y in this equation with equivalent linear combinations of a and b, which we already had computed. After simplifying, we were left with a linear combination of a and b that was equal to the remainder as desired. The final solution is the last such line: 7 = 3 · 259 − 11 · 70.
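As an added example (not the text's own code), here is the Pulverizer in Python. It carries the same bookkeeping as the table above, keeping each of x and y expressed as a linear combination of a and b so that every remainder x − q · y is too, and returns the rows of the table along with gcd(a, b) = s · a + t · b. Two companions follow: the coefficient-shifting trick from Section 14.2.3 (add b/gcd to s and subtract a/gcd from t without changing the sum) that produces a positive first coefficient, and a brute-force check of Theorem 14.2.1 over small coefficients.

```python
def pulverizer(a: int, b: int):
    """Extended Euclidean algorithm with the Pulverizer's bookkeeping (a, b >= 0).

    Returns (g, s, t, table) with g = gcd(a, b) = s*a + t*b.  Each table row is
    (x, y, r, (s_r, t_r)) for one division step, where r = rem(x, y) = s_r*a + t_r*b."""
    x, y = a, b
    sx, tx = 1, 0            # invariant: x == sx*a + tx*b
    sy, ty = 0, 1            # invariant: y == sy*a + ty*b
    table = []
    while y != 0:
        q, r = divmod(x, y)                 # x = q*y + r with 0 <= r < y
        sr, tr = sx - q * sy, tx - q * ty   # r = x - q*y, rewritten in a and b
        table.append((x, y, r, (sr, tr)))
        x, y, sx, tx, sy, ty = y, r, sy, ty, sr, tr
    return x, sx, tx, table

def positive_first_coefficient(a: int, b: int, m: int):
    """Write m = s'*a + t'*b with s' positive, as in the water jug argument of
    Section 14.2.3.  m must be a multiple of gcd(a, b) (Corollary 14.2.2)."""
    g, s, t, _ = pulverizer(a, b)
    if m % g != 0:
        raise ValueError(f"{m} is not a multiple of gcd({a}, {b}) = {g}")
    k = m // g
    s, t = s * k, t * k
    step_s, step_t = b // g, a // g       # s += b/g, t -= a/g keeps s*a + t*b fixed
    while s <= 0:
        s, t = s + step_s, t - step_t
    while s - step_s > 0:                 # smallest positive s' (fewest jug fills)
        s, t = s - step_s, t + step_t
    return s, t

def smallest_positive_combination(a: int, b: int, bound: int = 50) -> int:
    """Brute-force check of Theorem 14.2.1 over coefficients |s|, |t| <= bound."""
    return min(s * a + t * b
               for s in range(-bound, bound + 1)
               for t in range(-bound, bound + 1)
               if s * a + t * b > 0)

if __name__ == "__main__":
    g, s, t, table = pulverizer(259, 70)
    for x, y, r, (sr, tr) in table:
        print(f"{x:4d} {y:4d}  {r:3d} = {sr} * 259 + {tr} * 70")
    print(f"gcd = {g} = {s} * 259 + {t} * 70")
    print(positive_first_coefficient(21, 26, 3))   # the coefficients behind (14.4)
```

For the jugs of Section 14.2.3 the program finds 3 = 15 · 21 − 12 · 26, so the fill-pour-empty procedure needs exactly 15 fills of the 21-gallon jug and 12 emptyings of the 26-gallon jug, which is what the trace there shows.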
14.2.5 Problems

Class Problems

Problem 14.1.
A number is perfect if it is equal to the sum of its positive divisors, other than itself. For example, 6 is perfect, because 6 = 1 + 2 + 3. Similarly, 28 is perfect, because 28 = 1 + 2 + 4 + 7 + 14. Explain why 2^(k−1) (2^k − 1) is perfect when 2^k − 1 is prime.²

Problem 14.2. (a) Use the Pulverizer to find integers x, y such that

    x · 50 + y · 21 = gcd(50, 21).

(b) Now find integers x', y' with y' > 0 such that

    x' · 50 + y' · 21 = gcd(50, 21)

Problem 14.3.
For nonzero integers, a, b, prove the following properties of divisibility and GCD's. (You may use the fact that gcd(a, b) is an integer linear combination of a and b. You may not appeal to uniqueness of prime factorization because the properties below are needed to prove unique factorization.)

(a) Every common divisor of a and b divides gcd(a, b).

(b) If a | bc and gcd(a, b) = 1, then a | c.

(c) If p | ab for some prime, p, then p | a or p | b.

(d) Let m be the smallest integer linear combination of a and b that is positive. Show that m = gcd(a, b).

14.3 The Fundamental Theorem of Arithmetic 

We now have almost enough tools to prove something that you probably already 
know. 

Theorem 14.3.1 (Fundamental Theorem of Arithmetic). Every positive integer n can be written in a unique way as a product of primes:

    n = p1 · p2 · · · pj    (p1 ≤ p2 ≤ · · · ≤ pj)

²Euclid proved this 2300 years ago. About 250 years ago, Euler proved the converse: every even perfect number is of this form (for a simple proof see http://primes.utm.edu/notes/proofs/EvenPerfect.html). As is typical in number theory, apparently simple results lie at the brink of the unknown. For example, it is not known if there are an infinite number of even perfect numbers or any odd perfect numbers at all.
Notice that the theorem would be false if 1 were considered a prime; for example, 15 could be written as 3 · 5 or 1 · 3 · 5 or 1² · 3 · 5. Also, we're relying on a standard convention: the product of an empty set of numbers is defined to be 1, much as the sum of an empty set of numbers is defined to be 0. Without this convention, the theorem would be false for n = 1.

There is a certain wonder in the Fundamental Theorem, even if you've known 
it since you were in a crib. Primes show up erratically in the sequence of integers. 
In fact, their distribution seems almost random: 

2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, . . . 

Basic questions about this sequence have stumped humanity for centuries. And 
yet we know that every natural number can be built up from primes in exactly one 
way. These quirky numbers are the building blocks for the integers. The Funda- 
mental Theorem is not hard to prove, but we'll need a couple of preliminary facts. 

Lemma 14.3.2. If p is a prime and p | ab, then p | a or p | b.

Proof. The greatest common divisor of a and p must be either 1 or p, since these are the only positive divisors of p. If gcd(a, p) = p, then the claim holds, because a is a multiple of p. Otherwise, gcd(a, p) = 1 and so p | b by Lemma 14.2.4.4. ■

A routine induction argument extends this statement to:

Lemma 14.3.3. Let p be a prime. If p | a1 a2 · · · an, then p divides some ai.

Now we're ready to prove the Fundamental Theorem of Arithmetic.

Proof. Theorem 2.4.1 showed, using the Well Ordering Principle, that every positive integer can be expressed as a product of primes. So we just have to prove this expression is unique. We will use Well Ordering to prove this too.

The proof is by contradiction: assume, contrary to the claim, that there exist positive integers that can be written as products of primes in more than one way. By the Well Ordering Principle, there is a smallest integer with this property. Call this integer n, and let

    n = p1 · p2 · · · pj
      = q1 · q2 · · · qk

be two of the (possibly many) ways to write n as a product of primes. Then p1 | n and so p1 | q1 q2 · · · qk. Lemma 14.3.3 implies that p1 divides one of the primes qi. But since qi is a prime, it must be that p1 = qi. Deleting p1 from the first product and qi from the second, we find that n/p1 is a positive integer smaller than n that can also be written as a product of primes in two distinct ways. But this contradicts the definition of n as the smallest such positive integer. ■
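As an added example (not part of the text), here is the factorization side of the Fundamental Theorem in Python: a trial-division factorizer that returns the primes in nondecreasing order, with the empty product for n = 1 as the convention above requires, plus a routine that reads gcd and lcm off two factorizations by taking the minimum and maximum exponent of each prime. The gcd(1247, 899) = 29 example from Corollary 14.2.3 is used as a check.

```python
from collections import Counter

def prime_factors(n: int) -> list:
    """Prime factorization of n >= 1 by trial division, nondecreasing order.
    Returns [] for n = 1, the empty product."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = []
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors.append(p)
            n //= p
        p += 1 if p == 2 else 2        # after 2, only odd candidates
    if n > 1:
        factors.append(n)              # the leftover cofactor is itself prime
    return factors

def from_factors(factors: list) -> int:
    """Multiply a factor list back together (empty list gives 1)."""
    result = 1
    for p in factors:
        result *= p
    return result

def gcd_lcm_from_factorizations(m: int, n: int):
    """gcd takes the minimum exponent of each prime, lcm the maximum, so
    gcd(m, n) * lcm(m, n) == m * n for every pair of positive integers."""
    fm, fn = Counter(prime_factors(m)), Counter(prime_factors(n))
    g = l = 1
    for p in set(fm) | set(fn):        # Counter returns 0 for an absent prime
        g *= p ** min(fm[p], fn[p])
        l *= p ** max(fm[p], fn[p])
    return g, l

if __name__ == "__main__":
    print(prime_factors(360))                         # [2, 2, 2, 3, 3, 5]
    print(gcd_lcm_from_factorizations(1247, 899))     # (29, 38657)
```

Because prime_factors returns a canonical sorted list, two factorizations of the same number compare equal, which is the uniqueness clause of the theorem seen from the program's side.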
The Prime Number Theorem

Let π(x) denote the number of primes less than or equal to x. For example, π(10) = 4 because 2, 3, 5, and 7 are the primes less than or equal to 10. Primes are very irregularly distributed, so the growth of π is similarly erratic. However, the Prime Number Theorem gives an approximate answer:

    lim_{x→∞} π(x) / (x / ln x) = 1

Thus, primes gradually taper off. As a rule of thumb, about 1 integer out of every ln x in the vicinity of x is a prime.

The Prime Number Theorem was conjectured by Legendre in 1798 and proved a 
century later by de la Vallee Poussin and Hadamard in 1896. However, after his 
death, a notebook of Gauss was found to contain the same conjecture, which he 
apparently made in 1791 at age 15. (You sort of have to feel sorry for all the other- 
wise "great" mathematicians who had the misfortune of being contemporaries of 
Gauss.) 

In late 2004 a billboard appeared in various locations around the country:

    { first 10-digit prime found in consecutive digits of e }.com

Substituting the correct number for the expression in curly-braces produced the URL for a Google employment page. The idea was that Google was interested in hiring the sort of people that could and would solve such a problem.

How hard is this problem? Would you have to look through thousands or millions or billions of digits of e to find a 10-digit prime? The rule of thumb derived from the Prime Number Theorem says that among 10-digit numbers, about 1 in

    ln 10^10 ≈ 23

is prime. This suggests that the problem isn't really so hard! Sure enough, the first 10-digit prime in consecutive digits of e appears quite early:

    e = 2.718281828459045235360287471352662497757247093699959574966
          9676277240766303535475945713821785251664274274663919320030
          599218174135966290435729003342952605956307381323286279434 . . .
14.3.1 Problems

Class Problems

Problem 14.4. (a) Let m = 2^9 · 5^24 · 11^7 · 17^12 and n = 2^3 · 7^22 · 11^211 · 13 · 17^9 · 19^2. What is the gcd(m, n)? What is the least common multiple, lcm(m, n), of m and n? Verify that

    gcd(m, n) · lcm(m, n) = mn. (14.5)

(b) Describe in general how to find the gcd(m, n) and lcm(m, n) from the prime factorizations of m and n. Conclude that equation (14.5) holds for all positive integers m, n.



14.4 Alan Turing

Photograph removed due to copyright restrictions. A similar photograph can be seen here: http://en.wikipedia.org/wiki/File:Alan_Turing_photo.jpg.



The man pictured above is Alan Turing, the most important figure in the history 
of computer science. For decades, his fascinating life story was shrouded by gov- 
ernment secrecy, societal taboo, and even his own deceptions. 

At age 24, Turing wrote a paper entitled On Computable Numbers, with an Ap- 
plication to the Entscheidungsproblem. The crux of the paper was an elegant way to 
model a computer in mathematical terms. This was a breakthrough, because it al- 
lowed the tools of mathematics to be brought to bear on questions of computation. 
For example, with his model in hand, Turing immediately proved that there exist 
problems that no computer can solve — no matter how ingenious the programmer. 
Turing's paper is all the more remarkable because he wrote it in 1936, a full decade 
before any electronic computer actually existed. 

The word "Entscheidungsproblem" in the title refers to one of the 28 mathematical problems posed by David Hilbert in 1900 as challenges to mathematicians of the 20th century. Turing knocked that one off in the same paper. And perhaps you've heard of the "Church-Turing thesis"? Same paper. So Turing was obviously a brilliant guy who generated lots of amazing ideas. But this lecture is about one of Turing's less-amazing ideas. It involved codes. It involved number theory. And it was sort of stupid.

Let's look back to the fall of 1937. Nazi Germany was rearming under Adolf Hitler, world-shattering war looked imminent, and — like us — Alan Turing was pondering the usefulness of number theory. He foresaw that preserving military secrets would be vital in the coming conflict and proposed a way to encrypt communications using number theory. This is an idea that has ricocheted up to our own time. Today, number theory is the basis for numerous public-key cryptosystems, digital signature schemes, cryptographic hash functions, and electronic payment systems. Furthermore, military funding agencies are among the biggest investors in cryptographic research. Sorry Hardy!

Soon after devising his code, Turing disappeared from public view, and half a century would pass before the world learned the full story of where he'd gone and what he did there. We'll come back to Turing's life in a little while; for now, let's investigate the code Turing left behind. The details are uncertain, since he never formally published the idea, so we'll consider a couple of possibilities.

14.4.1 Turing's Code (Version 1.0) 

The first challenge is to translate a text message into an integer so we can perform 
mathematical operations on it. This step is not intended to make a message harder 
to read, so the details are not too important. Here is one approach: replace each 
letter of the message with two digits (A = 01, B = 02, C = 03, etc.) and string all 
the digits together to form one huge number. For example, the message "victory" 
could be translated this way: 

 v  i  c  t  o  r  y 
22 09 03 20 15 18 25 

Turing's code requires the message to be a prime number, so we may need to pad 
the result with a few more digits to make a prime. In this case, appending the 
digits 13 gives the number 2209032015182513, which is prime. 

Now here is how the encryption process works. In the description below, m 
is the unencoded message (which we want to keep secret), m* is the encrypted 
message (which the Nazis may intercept), and k is the key. 

Beforehand The sender and receiver agree on a secret key, which is a large prime 
k. 

Encryption The sender encrypts the message m by computing: 

m* = m · k 






Decryption The receiver decrypts m* by computing: 

m*/k = (m · k)/k = m 



For example, suppose that the secret key is the prime number k = 22801763489 
and the message m is "victory". Then the encrypted message is: 

m* = m · k 
   = 2209032015182513 · 22801763489 
   = 50369825549820718594667857 

There are a couple of questions that one might naturally ask about Turing's 
code. 

1. How can the sender and receiver ensure that m and k are prime numbers, as 
required? 

The general problem of determining whether a large number is prime or 
composite has been studied for centuries, and reasonably good primality 
tests were known even in Turing's time. In 2002, Manindra Agrawal, Neeraj 
Kayal, and Nitin Saxena announced a primality test that is guaranteed to 
work on a number n in about (log n)^12 steps, that is, a number of steps 
bounded by a twelfth degree polynomial in the length (in bits) of the input, 
n. This definitively places primality testing way below the problems of 
exponential difficulty. Amazingly, the description of their breakthrough 
algorithm was only thirteen lines long! 

Of course, a twelfth degree polynomial grows pretty fast, so the Agrawal, et 
al. procedure is of no practical use. Still, good ideas have a way of breeding 
more good ideas, so there's certainly hope further improvements will lead 
to a procedure that is useful in practice. But the truth is, there's no practical 
need to improve it, since very efficient probabilistic procedures for prime 
testing have been known since the early 1970's. These procedures have some 
probability of giving a wrong answer, but their probability of being wrong is 
so tiny that relying on their answers is the best bet you'll ever make. 

2. Is Turing's code secure? 

The Nazis see only the encrypted message m* = m · k, so recovering the 
original message m requires factoring m*. Despite immense efforts, no really 
efficient factoring algorithm has ever been found. It appears to be a 
fundamentally difficult problem, though a breakthrough someday is not 
impossible. In effect, Turing's code puts to practical use his discovery that 
there are limits to the power of computation. Thus, provided m and k are 
sufficiently large, the Nazis seem to be out of luck! 

This all sounds promising, but there is a major flaw in Turing's code. 
14.4.2 Breaking Turing's Code 

Let's consider what happens when the sender transmits a second message using 
Turing's code and the same key. This gives the Nazis two encrypted messages to 
look at: 

m1* = m1 · k and m2* = m2 · k 

The greatest common divisor of the two encrypted messages, m1* and m2*, is the 
secret key k. And, as we've seen, the GCD of two numbers can be computed very 
efficiently. So after the second message is sent, the Nazis can recover the secret key 
and read every message! 
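Here is Version 1.0 and the two-ciphertext flaw of Section 14.4.2 worked through in Python. This is an added example, not code from the text: the function names, the deterministic Miller-Rabin primality test used for padding, and the second message "attack" are my own constructions; the key 22801763489 and the message 2209032015182513 are the ones used above.

```python
from math import gcd

# Deterministic Miller-Rabin witnesses: the test is exact for every
# n below 3.3 * 10**24, far beyond the 16-digit messages used here.
_WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for w in _WITNESSES:
        if n % w == 0:
            return n == w
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _WITNESSES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a witnesses that n is composite
    return True


def encode(text: str) -> int:
    """Replace each letter by two digits (A = 01, ..., Z = 26) and concatenate.
    Only letters are encoded; a leading 'A' would lose its leading zero, a
    detail the text's informal scheme also ignores."""
    digits = "".join(f"{ord(c) - ord('A') + 1:02d}"
                     for c in text.upper() if c.isalpha())
    return int(digits)


def pad_to_prime(n: int) -> int:
    """Append the smallest two-digit suffix that makes n prime (the text pads
    22090320151825 with 13); fall back to a four-digit suffix if none works."""
    for width in (2, 4):
        for suffix in range(10 ** width):
            candidate = n * 10 ** width + suffix
            if is_prime(candidate):
                return candidate
    raise ValueError("no short padding yields a prime")


def encrypt_v1(m: int, k: int) -> int:
    """Version 1.0 encryption: m* = m * k, ordinary multiplication."""
    return m * k


def decrypt_v1(m_star: int, k: int) -> int:
    """Version 1.0 decryption: m = m* / k, an exact division."""
    return m_star // k


def recover_key(m1_star: int, m2_star: int) -> int:
    """Section 14.4.2: two ciphertexts under one key reveal k as their GCD,
    because the plaintexts m1 and m2 are distinct primes."""
    return gcd(m1_star, m2_star)


if __name__ == "__main__":
    k = 22801763489                      # key from the text
    m1 = pad_to_prime(encode("victory"))
    m2 = pad_to_prime(encode("attack"))  # constructed second message
    c1, c2 = encrypt_v1(m1, k), encrypt_v1(m2, k)
    print("m1 prime:", is_prime(m1), "decrypts:", decrypt_v1(c1, k) == m1)
    print("key recovered from two ciphertexts:", recover_key(c1, c2) == k)
```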

It is difficult to believe a mathematician as brilliant as Turing could overlook 
such a glaring problem. One possible explanation is that he had a slightly different 
system in mind, one based on modular arithmetic. 

14.5 Modular Arithmetic 

On page 1 of his masterpiece on number theory, Disquisitiones Arithmeticae, Gauss 
introduced the notion of "congruence". Now, Gauss is another guy who managed 
to cough up a half-decent idea every now and then, so let's take a look at this one. 
Gauss said that a is congruent to b modulo n iff n | (a − b). This is written 

a ≡ b (mod n). 

For example: 

29 ≡ 15 (mod 7) because 7 | (29 − 15). 

There is a close connection between congruences and remainders: 

Lemma 14.5.1 (Congruences and Remainders). 

a ≡ b (mod n) iff rem(a, n) = rem(b, n). 

Proof. By the Division Theorem, there exist unique pairs of integers q1, r1 and q2, r2 
such that: 

a = q1 n + r1 where 0 ≤ r1 < n, 

b = q2 n + r2 where 0 ≤ r2 < n. 

Subtracting the second equation from the first gives: 

a − b = (q1 − q2) n + (r1 − r2) where −n < r1 − r2 < n. 

Now a ≡ b (mod n) if and only if n divides the left side. This is true if and only 
if n divides the right side, which holds if and only if r1 − r2 is a multiple of n. 
Given the bounds on r1 − r2, this happens precisely when r1 = r2, that is, when 
rem(a, n) = rem(b, n). ■ 

So we can also see that 

29 ≡ 15 (mod 7) because rem(29, 7) = 1 = rem(15, 7). 

This formulation explains why the congruence relation has properties like an equal- 
ity relation. Notice that even though (mod 7) appears over on the right side of the ≡ 
symbol, it isn't any more strongly associated with the 15 than with the 29. It would 
really be clearer to write 29 ≡_(mod 7) 15 for example, but the notation with the mod- 
ulus at the end is firmly entrenched and we'll stick to it. 

We'll make frequent use of the following immediate Corollary of Lemma 14.5.1: 

Corollary 14.5.2. 

a ≡ rem(a, n) (mod n) 

Still another way to think about congruence modulo n is that it defines a partition 
of the integers into n sets so that congruent numbers are all in the same set. For example, 
suppose that we're working modulo 3. Then we can partition the integers into 3 
sets as follows: 

{ -6, -3, 0, 3, 6, 9, ... } 

{ -5, -2, 1, 4, 7, 10, ... } 

{ -4, -1, 2, 5, 8, 11, ... } 

according to whether their remainders on division by 3 are 0, 1, or 2. The upshot 
is that when arithmetic is done modulo n there are really only n different kinds 
of numbers to worry about, because there are only n possible remainders. In this 
sense, modular arithmetic is a simplification of ordinary arithmetic and thus is a 
good reasoning tool. 

There are many useful facts about congruences, some of which are listed in the 
lemma below. The overall theme is that congruences work a lot like equations, though 
there are a couple of exceptions. 



Lemma 14.5.3 (Facts About Congruences). The following hold for n ≥ 1: 

1. a ≡ a (mod n) 

2. a ≡ b (mod n) implies b ≡ a (mod n) 

3. a ≡ b (mod n) and b ≡ c (mod n) implies a ≡ c (mod n) 

4. a ≡ b (mod n) implies a + c ≡ b + c (mod n) 

5. a ≡ b (mod n) implies ac ≡ bc (mod n) 

6. a ≡ b (mod n) and c ≡ d (mod n) imply a + c ≡ b + d (mod n) 

7. a ≡ b (mod n) and c ≡ d (mod n) imply ac ≡ bd (mod n) 

Proof. Parts 1.-3. follow immediately from Lemma 14.5.1. Part 4. follows immedi- 
ately from the definition that a ≡ b (mod n) iff n | (a − b). Likewise, part 5. follows 
because if n | (a − b) then it divides (a − b)c = ac − bc. To prove part 6., assume 

a ≡ b (mod n) (14.6) 

and 

c ≡ d (mod n). (14.7) 

Then 

a + c ≡ b + c (mod n) (by part 4. and (14.6)), 
c + b ≡ d + b (mod n) (by part 4. and (14.7)), so 
b + c ≡ b + d (mod n) 

and therefore 

a + c ≡ b + d (mod n) (by part 3.) 

Part 7. has a similar proof. ■ 



14.5.1 Turing's Code (Version 2.0) 

In 1940 France had fallen before Hitler's army, and Britain alone stood against the 
Nazis in western Europe. British resistance depended on a steady flow of sup- 
plies brought across the north Atlantic from the United States by convoys of ships. 
These convoys were engaged in a cat-and-mouse game with German "U-boats" — 
submarines — which prowled the Atlantic, trying to sink supply ships and starve 
Britain into submission. The outcome of this struggle pivoted on a balance of in- 
formation: could the Germans locate convoys better than the Allies could locate 
U-boats or vice versa? 
Germany lost. 

But a critical reason behind Germany's loss was made public only in 1974: Ger- 
many's naval code, Enigma, had been broken by the Polish Cipher Bureau (see 
http://en.wikipedia.org/wiki/Polish_Cipher_Bureau) and the secret 
had been turned over to the British a few weeks before the Nazi invasion of Poland 
in 1939. Throughout much of the war, the Allies were able to route convoys around 
German submarines by listening in to German communications. The British gov- 
ernment didn't explain how Enigma was broken until 1996. When it was finally 
released (by the US), the story revealed that Alan Turing had joined the secret 
British codebreaking effort at Bletchley Park in 1939, where he became the lead 
developer of methods for rapid, bulk decryption of German Enigma messages. 
Turing's Enigma deciphering was an invaluable contribution to the Allied victory 
over Hitler. 

Governments are always tight-lipped about cryptography, but the half-century 
of official silence about Turing's role in breaking Enigma and saving Britain may 
be related to some disturbing events after the war. 

Let's consider an alternative interpretation of Turing's code. Perhaps we had 
the basic idea right (multiply the message by the key), but erred in using conven- 
tional arithmetic instead of modular arithmetic. Maybe this is what Turing meant: 
Beforehand The sender and receiver agree on a large prime p, which may be made 
public. (This will be the modulus for all our arithmetic.) They also agree on 
a secret key k ∈ {1, 2, ..., p − 1}. 

Encryption The message m can be any integer in the set {0, 1, 2, ..., p − 1}; in par- 
ticular, the message is no longer required to be a prime. The sender encrypts 
the message m to produce m* by computing: 

m* = rem(mk, p) (14.8) 

Decryption (Uh-oh.) 

The decryption step is a problem. We might hope to decrypt in the same way 
as before: by dividing the encrypted message m* by the key k. The difficulty is 
that m* is the remainder when mk is divided by p. So dividing m* by k might not 
even give us an integer! 

This decoding difficulty can be overcome with a better understanding of arith- 
metic modulo a prime. 

14.5.2 Problems 
Class Problems 

Problem 14.5. 

The following properties of equivalence mod n follow directly from its definition 
and simple properties of divisibility. See if you can prove them without looking 
up the proofs in the text. 

(a) If a ≡ b (mod n), then ac ≡ bc (mod n). 

(b) If a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n). 

(c) If a ≡ b (mod n) and c ≡ d (mod n), then ac ≡ bd (mod n). 

(d) rem(a, n) ≡ a (mod n). 



Problem 14.6. (a) Why is a number written in decimal evenly divisible by 9 if and 
only if the sum of its digits is a multiple of 9? Hint: 10 ≡ 1 (mod 9). 

(b) Take a big number, such as 37273761261. Sum the digits, where every other 
one is negated: 

3 + (-7) + 2 + (-7) + 3 + (-7) + 6 + (-1) + 2 + (-6) + 1 = -11 

Explain why the original number is a multiple of 11 if and only if this sum is a 
multiple of 11. 
Problem 14.7. 

At one time, the Guinness Book of World Records reported that the "greatest hu- 
man calculator" was a guy who could compute 13th roots of 100-digit numbers 
that were powers of 13. What a curious choice of tasks. 

(a) Prove that 

d^13 ≡ d (mod 10) (14.9) 

for 0 ≤ d < 10. 

(b) Now prove that 

n^13 ≡ n (mod 10) (14.10) 

for all n. 

14.6 Arithmetic with a Prime Modulus 
14.6.1 Multiplicative Inverses 

The multiplicative inverse of a number x is another number x^−1 such that: 

x · x^−1 = 1 

Generally, multiplicative inverses exist over the real numbers. For example, the 
multiplicative inverse of 3 is 1/3 since: 

3 · (1/3) = 1 

The sole exception is that 0 does not have an inverse. 

On the other hand, inverses generally do not exist over the integers. For exam- 
ple, 7 can not be multiplied by another integer to give 1. 

Surprisingly, multiplicative inverses do exist when we're working modulo a 
prime number. For example, if we're working modulo 5, then 3 is a multiplicative 
inverse of 7, since: 

7 · 3 ≡ 1 (mod 5) 

(All numbers congruent to 3 modulo 5 are also multiplicative inverses of 7; for 
example, 7 · 8 ≡ 1 (mod 5) as well.) The only exception is that numbers congruent 
to 0 modulo 5 (that is, the multiples of 5) do not have inverses, much as 0 does not 
have an inverse over the real numbers. Let's prove this. 

Lemma 14.6.1. If p is prime and k is not a multiple of p, then k has a multiplicative 
inverse. 

Proof. Since p is prime, it has only two divisors: 1 and p. And since k is not a 
multiple of p, we must have gcd(p, k) = 1. Therefore, there is a linear combination 
of p and k equal to 1: 

sp + tk = 1 

Rearranging terms gives: 

sp = 1 − tk 

This implies that p | (1 − tk) by the definition of divisibility, and therefore tk ≡ 1 
(mod p) by the definition of congruence. Thus, t is a multiplicative inverse of k. ■ 

Multiplicative inverses are the key to decryption in Turing's code. Specifically, 
we can recover the original message by multiplying the encoded message by the 
inverse of the key: 

m* · k^−1 = rem(mk, p) · k^−1 (the def. (14.8) of m*) 

≡ (mk) k^−1 (mod p) (by Cor. 14.5.2) 

≡ m (mod p). 

This shows that m* k^−1 is congruent to the original message m. Since m was in 
the range 0, 1, ..., p − 1, we can recover it exactly by taking a remainder: 

m = rem(m* k^−1, p) 

So now we can decrypt! 



14.6.2 Cancellation 

Another sense in which real numbers are nice is that one can cancel multiplicative 
terms. In other words, if we know that m1 k = m2 k, then we can cancel the k's and 
conclude that m1 = m2, provided k ≠ 0. In general, cancellation is not valid in 
modular arithmetic. For example, 

2 · 3 ≡ 4 · 3 (mod 6), 

cancelling the 3's leads to the false conclusion that 2 ≡ 4 (mod 6). The fact that 
multiplicative terms can not be cancelled is the most significant sense in which 
congruences differ from ordinary equations. However, this difference goes away 
if we're working modulo a prime; then cancellation is valid. 

Lemma 14.6.2. Suppose p is a prime and k is not a multiple of p. Then 

ak ≡ bk (mod p) IMPLIES a ≡ b (mod p). 

Proof. Multiply both sides of the congruence by k^−1. ■ 

We can use this lemma to get a bit more insight into how Turing's code works. 
In particular, the encryption operation in Turing's code permutes the set of possible 
messages. This is stated more precisely in the following corollary. 

Corollary 14.6.3. Suppose p is a prime and k is not a multiple of p. Then the sequence: 

rem((1 · k), p), rem((2 · k), p), ..., rem(((p − 1) · k), p) 

is a permutation¹ of the sequence: 

1, 2, ..., p − 1. 

Proof. The sequence of remainders contains p − 1 numbers. Since i · k is not divisible 
by p for i = 1, ..., p − 1, all these remainders are in the range 1 to p − 1 by the 
definition of remainder. Furthermore, the remainders are all different: no two 
numbers in the range 1 to p − 1 are congruent modulo p, and by Lemma 14.6.2, 
i · k ≡ j · k (mod p) if and only if i ≡ j (mod p). Thus, the sequence of remainders 
must contain all of the numbers from 1 to p − 1 in some order. ■ 

For example, suppose p = 5 and k = 3. Then the sequence: 

rem((1 · 3), 5), rem((2 · 3), 5), rem((3 · 3), 5), rem((4 · 3), 5) 
     = 3              = 1              = 4              = 2 

is a permutation of 1, 2, 3, 4. As long as the Nazis don't know the secret key k, 
they don't know how the set of possible messages are permuted by the process of 
encryption and thus can't read encoded messages. 



14.6.3 Fermat's Little Theorem 

A remaining challenge in using Turing's code is that decryption requires the in- 
verse of the secret key k. An effective way to calculate k^−1 follows from the proof 
of Lemma 14.6.1, namely 

k^−1 = rem(t, p) 

where s, t are coefficients such that sp + tk = 1. Notice that t is easy to find using 
the Pulverizer. 

An alternative approach, about equally efficient and probably more memo- 
rable, is to rely on Fermat's Little Theorem, which is much easier than his famous 
Last Theorem. 

Theorem 14.6.4 (Fermat's Little Theorem). Suppose p is a prime and k is not a multiple 
of p. Then: 

k^(p−1) ≡ 1 (mod p) 

¹ A permutation of a sequence of elements is a sequence with the same elements (including repeats) 
possibly in a different order. More formally, if 

e ::= e1, e2, ..., en 

is a length n sequence, and π : {1, ..., n} → {1, ..., n} is a bijection, then 

is a permutation of e. 
Proof. We reason as follows: 

(p − 1)! ::= 1 · 2 ··· (p − 1) 

= rem(k, p) · rem(2k, p) ··· rem((p − 1)k, p) (by Cor 14.6.3) 

≡ k · 2k ··· (p − 1)k (mod p) (by Cor 14.5.2) 

≡ (p − 1)! · k^(p−1) (mod p) (rearranging terms) 

Now (p − 1)! is not a multiple of p because the prime factorizations of 1, 2, ..., (p − 
1) contain only primes smaller than p. So by Lemma 14.6.2, we can cancel (p − 1)! 
from the first and last expressions, which proves the claim. ■ 

Here is how we can find inverses using Fermat's Theorem. Suppose p is a prime 
and k is not a multiple of p. Then, by Fermat's Theorem, we know that: 

k^(p−2) · k ≡ 1 (mod p) 

Therefore, k^(p−2) must be a multiplicative inverse of k. For example, suppose that 
we want the multiplicative inverse of 6 modulo 17. Then we need to compute 
rem(6^15, 17), which we can do by successive squaring. All the congruences below 
hold modulo 17. 

6^2 = 36 ≡ 2 
6^4 = (6^2)^2 ≡ 2^2 ≡ 4 
6^8 = (6^4)^2 ≡ 4^2 ≡ 16 
6^15 = 6^8 · 6^4 · 6^2 · 6 ≡ 16 · 4 · 2 · 6 ≡ 3 

Therefore, rem(6^15, 17) = 3. Sure enough, 3 is the multiplicative inverse of 6 mod- 
ulo 17, since: 

3 · 6 ≡ 1 (mod 17) 

In general, if we were working modulo a prime p, finding a multiplicative in- 
verse by trying every value between 1 and p—l would require about p operations. 
However, the approach above requires only about logp operations, which is far 
better when p is large. 

14.6.4 Breaking Turing's Code — Again 

The Germans didn't bother to encrypt their weather reports with the highly-secure 
Enigma system. After all, so what if the Allies learned that there was rain off the 
south coast of Iceland? But, amazingly, this practice provided the British with a 
critical edge in the Atlantic naval battle during 1941. 

The problem was that some of those weather reports had originally been trans- 
mitted using Enigma from U-boats out in the Atlantic. Thus, the British obtained 
both unencrypted reports and the same reports encrypted with Enigma. By com- 
paring the two, the British were able to determine which key the Germans were 
using that day and could read all other Enigma-encoded traffic. Today, this would 
be called a known-plaintext attack. 

Let's see how a known-plaintext attack would work against Turing's code. Sup- 
pose that the Nazis know both m and m* where: 

m* ≡ mk (mod p) 

Now they can compute: 

m^(p−2) · m* = m^(p−2) · rem(mk, p) (def. (14.8) of m*) 

≡ m^(p−2) · mk (mod p) (by Cor 14.5.2) 

≡ m^(p−1) · k (mod p) 

≡ k (mod p) (Fermat's Theorem) 

Now the Nazis have the secret key k and can decrypt any message! 

This is a huge vulnerability, so Turing's code has no practical value. Fortu- 
nately, Turing got better at cryptography after devising this code; his subsequent 
deciphering of Enigma messages surely saved thousands of lives, if not the whole 
of Britain. 
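Version 2.0 (Section 14.5.1) together with the two ways of finding k^−1 (the Pulverizer from Lemma 14.6.1 and Fermat's Theorem from Section 14.6.3), the permutation of Corollary 14.6.3, and the known-plaintext key recovery of Section 14.6.4, as an added Python example that is not code from the text. Function names are mine; the prime 2^31 − 1 and the sample key and message in the demo are constructed choices.

```python
def pulverizer(a: int, b: int):
    """Extended Euclidean algorithm (the text's "Pulverizer"): returns
    (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b != 0:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inverse_pulverizer(k: int, p: int) -> int:
    """k^-1 = rem(t, p) where s*p + t*k = 1, as in the proof of Lemma 14.6.1."""
    g, _s, t = pulverizer(p, k)
    if g != 1:
        raise ValueError("k has no inverse: gcd(k, p) != 1")
    return t % p


def inverse_fermat(k: int, p: int) -> int:
    """k^-1 = rem(k^(p-2), p) by Fermat's Little Theorem. pow() does the
    successive squaring, about log p multiplications. Assumes p is prime."""
    if k % p == 0:
        raise ValueError("k is a multiple of p and has no inverse")
    return pow(k, p - 2, p)


def encrypt_v2(m: int, k: int, p: int) -> int:
    """Equation (14.8): m* = rem(m k, p)."""
    if not 0 <= m < p or not 1 <= k < p:
        raise ValueError("need 0 <= m < p and 1 <= k < p")
    return (m * k) % p


def decrypt_v2(m_star: int, k: int, p: int) -> int:
    """m = rem(m* k^-1, p), the recovery step of Section 14.6.1."""
    return (m_star * inverse_fermat(k, p)) % p


def encryption_permutation(k: int, p: int) -> list:
    """rem(1 k, p), ..., rem((p-1) k, p): a permutation of 1..p-1 (Cor. 14.6.3)."""
    return [(i * k) % p for i in range(1, p)]


def known_plaintext_key(m: int, m_star: int, p: int) -> int:
    """Section 14.6.4: one (m, m*) pair gives m^(p-2) * m* ≡ m^(p-1) k ≡ k (mod p).
    Requires m not a multiple of p (m = 0 encrypts to 0 under every key)."""
    if m % p == 0:
        raise ValueError("m = 0 leaks nothing about k")
    return (pow(m, p - 2, p) * m_star) % p


if __name__ == "__main__":
    P = 2**31 - 1              # a Mersenne prime; constructed choice
    K, M = 12345, 987654321    # constructed key and message
    C = encrypt_v2(M, K, P)
    print(decrypt_v2(C, K, P) == M)                         # True
    print(inverse_pulverizer(6, 17), inverse_fermat(6, 17))  # 3 3
    print(encryption_permutation(3, 5))                     # [3, 1, 4, 2]
    print(known_plaintext_key(M, C, P) == K)                # True
```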

14.6.5 Turing Postscript 

A few years after the war, Turing's home was robbed. Detectives soon determined 
that a former homosexual lover of Turing's had conspired in the robbery. So they 
arrested him — that is, they arrested Alan Turing — because homosexuality was 
a British crime punishable by up to two years in prison at that time. Turing was 
sentenced to a hormonal "treatment" for his homosexuality: he was given estrogen 
injections. He began to develop breasts. 

Three years later, Alan Turing, the founder of computer science, was dead. His 
mother explained what happened in a biography of her own son. Despite her 
repeated warnings, Turing carried out chemistry experiments in his own home. 
Apparently, her worst fear was realized: by working with potassium cyanide while 
eating an apple, he poisoned himself. 

However, Turing remained a puzzle to the very end. His mother was a de- 
voutly religious woman who considered suicide a sin. And, other biographers 
have pointed out, Turing had previously discussed committing suicide by eating 
a poisoned apple. Evidently, Alan Turing, who founded computer science and 
saved his country, took his own life in the end, and in just such a way that his 
mother could believe it was an accident. 

Turing's last project before he disappeared from public view in 1939 involved 
the construction of an elaborate mechanical device to test a mathematical conjec- 
ture called the Riemann Hypothesis. This conjecture first appeared in a sketchy 
paper by Bernhard Riemann in 1859 and is now one of the most famous unsolved 
problems in mathematics. 
The Riemann Hypothesis 

The formula for the sum of an infinite geometric series says: 

1 + x + x^2 + x^3 + ··· = 1/(1 − x) 

Substituting x = 1/2^s, x = 1/3^s, x = 1/5^s, and so on for each prime number gives a 
sequence of equations: 

etc. 



Multiplying together all the left sides and all the right sides gives: 

∑_{n=1}^{∞} 1/n^s = ∏_{p ∈ primes} 1/(1 − 1/p^s) 

The sum on the left is obtained by multiplying out all the infinite series and apply- 
ing the Fundamental Theorem of Arithmetic. For example, the term 1/300^s in the 
sum is obtained by multiplying 1/2^{2s} from the first equation by 1/3^s in the second 
and 1/5^{2s} in the third. Riemann noted that every prime appears in the expression 
on the right. So he proposed to learn about the primes by studying the equiva- 
lent, but simpler expression on the left. In particular, he regarded s as a complex 
number and the left side as a function, ζ(s). Riemann found that the distribution 
of primes is related to values of s for which ζ(s) = 0, which led to his famous 
conjecture: 

The Riemann Hypothesis: Every nontrivial zero of the zeta function ζ(s) 
lies on the line s = 1/2 + ci in the complex plane. 



Researchers continue to work intensely to settle this conjecture, as they have for 
over a century. A proof would immediately imply among other things, a strong 
form of the Prime Number Theorem — and earn the prover a $1 million prize! 
(We're not sure what the cash would be for a counter-example, but the discoverer 
would be wildly applauded by mathematicians everywhere.) 
14.6.6 Problems 
Class Problems 
Problem 14.8. 

Two nonparallel lines in the real plane intersect at a point. Algebraically, this 
means that the equations 

y = m1 x + b1 
y = m2 x + b2 

have a unique solution (x, y), provided m1 ≠ m2. This statement would be false if 
we restricted x and y to the integers, since the two lines could cross at a noninteger 
point: 

However, an analogous statement holds if we work over the integers modulo a 
prime, p. Find a solution to the congruences 

y ≡ m1 x + b1 (mod p) 
y ≡ m2 x + b2 (mod p) 

when m1 ≢ m2 (mod p). Express your solution in the form x ≡ ? (mod p) and 
y ≡ ? (mod p) where the ?'s denote expressions involving m1, m2, b1, and b2. You 
may find it helpful to solve the original equations over the reals first. 



Problem 14.9. 

Let S_k = 1^k + 2^k + ··· + (p − 1)^k, where p is an odd prime and k is a positive multiple 
of p − 1. Use Fermat's theorem to prove that S_k ≡ −1 (mod p). 

Homework Problems 

Problem 14.10. (a) Use the Pulverizer to find the inverse of 13 modulo 23 in the 
range {1, ..., 22}. 

(b) Use Fermat's theorem to find the inverse of 13 modulo 23 in the range {1, ..., 22}. 

14.7 Arithmetic with an Arbitrary Modulus 

Turing's code did not work as he hoped. However, his essential idea — using num- 
ber theory as the basis for cryptography — succeeded spectacularly in the decades 
after his death. 
In 1977, Ronald Rivest, Adi Shamir, and Leonard Adleman at MIT proposed a 
highly secure cryptosystem (called RSA) based on number theory. Despite decades 
of attack, no significant weakness has been found. Moreover, RSA has a major 
advantage over traditional codes: the sender and receiver of an encrypted mes- 
sage need not meet beforehand to agree on a secret key. Rather, the receiver has 
both a secret key, which she guards closely, and a public key, which she distributes 
as widely as possible. The sender then encrypts his message using her widely- 
distributed public key. Then she decrypts the received message using her closely- 
held private key. The use of such a public key cryptography system allows you and 
Amazon, for example, to engage in a secure transaction without meeting up be- 
forehand in a dark alley to exchange a key. 

Interestingly, RSA does not operate modulo a prime, as Turing's scheme may 
have, but rather modulo the product of two large primes. Thus, we'll need to know 
a bit about how arithmetic works modulo a composite number in order to under- 
stand RSA. Arithmetic modulo an arbitrary positive integer is really only a little 
more painful than working modulo a prime — though you may think this is like 
the doctor saying, "This is only going to hurt a little," before he jams a big needle 
in your arm. 

14.7.1 Relative Primality and Phi 

First, we need a new definition. Integers a and b are relatively prime iff gcd(a, b) = 1. 
For example, 8 and 15 are relatively prime, since gcd(8, 15) = 1. Note that, except 
for multiples of p, every integer is relatively prime to a prime number p. 

We'll also need a certain function that is defined using relative primality. Let n 
be a positive integer. Then φ(n) denotes the number of integers in {1, 2, ..., n − 1} 
that are relatively prime to n. For example, φ(7) = 6, since 1, 2, 3, 4, 5, and 6 are all 
relatively prime to 7. Similarly, φ(12) = 4, since only 1, 5, 7, and 11 are relatively 
prime to 12. If you know the prime factorization of n, then computing φ(n) is a 
piece of cake, thanks to the following theorem. The function is known as Euler's 
φ function; it's also called Euler's totient function. 

Theorem 14.7.1. The function φ obeys the following relationships: 

(a) If a and b are relatively prime, then φ(ab) = φ(a)φ(b). 

(b) If p is a prime, then φ(p^k) = p^k − p^(k−1) for k ≥ 1. 

Here's an example of using Theorem 14.7.1 to compute φ(300): 

φ(300) = φ(2^2 · 3 · 5^2) 
       = φ(2^2) · φ(3) · φ(5^2) (by Theorem 14.7.1.(a)) 
       = (2^2 − 2^1)(3^1 − 3^0)(5^2 − 5^1) (by Theorem 14.7.1.(b)) 
       = 80. 

The proof of Theorem 14.7.1.(a) requires a few more properties of modular 
arithmetic worked out in the next section (see Problem 14.15). We'll also give an- 
other proof in a few weeks based on rules for counting things. 
To prove Theorem 14.7.1.(b), notice that every pth number among the num- 
bers in the interval from 0 to p^k − 1 is divisible by p, and only these are divisible 
by p. So 1/pth of these numbers are divisible by p and the remaining ones are not. 
That is, 
14.7.2 Generalizing to an Arbitrary Modulus 

Let's generalize what we know about arithmetic modulo a prime. Now, instead 
of working modulo a prime p, we'll work modulo an arbitrary positive integer 
n. The basic theme is that arithmetic modulo n may be complicated, but the in- 
tegers relatively prime to n remain fairly well-behaved. For example, the proof of 
Lemma 14.6.1 of an inverse for k modulo p extends to an inverse for k relatively 
prime to n: 

Lemma 14.7.2. Let n be a positive integer. If k is relatively prime to n, then there exists 
an integer k^−1 such that: 

k · k^−1 ≡ 1 (mod n) 

As a consequence of this lemma, we can cancel a multiplicative term from both 
sides of a congruence if that term is relatively prime to the modulus: 

Corollary 14.7.3. Suppose n is a positive integer and k is relatively prime to n. If 

ak ≡ bk (mod n) 

then 

a ≡ b (mod n) 

This holds because we can multiply both sides of the first congruence by k^−1 
and simplify to obtain the second. 

14.7.3 Euler's Theorem 

RSA essentially relies on Euler's Theorem, a generalization of Fermat's Theorem 
to an arbitrary modulus. The proof is much like the proof of Fermat's Theorem, 
except that we focus on integers relatively prime to the modulus. Let's start with 
a lemma. 

Lemma 14.7.4. Suppose n is a positive integer and k is relatively prime to n. Let k1, ..., kr 
denote all the integers relatively prime to n in the range 1 to n − 1. Then the sequence: 

rem(k1 · k, n), rem(k2 · k, n), rem(k3 · k, n), ..., rem(kr · k, n) 

is a permutation of the sequence: 

k1, k2, ..., kr. 
Proof. We will show that the remainders in the first sequence are all distinct and 
are equal to some member of the sequence of kj's. Since the two sequences have 
the same length, the first must be a permutation of the second. 

First, we show that the remainders in the first sequence are all distinct. Suppose 
that rem(ki k, n) = rem(kj k, n). This is equivalent to ki k ≡ kj k (mod n), which 
implies ki ≡ kj (mod n) by Corollary 14.7.3. This, in turn, means that ki = kj 
since both are between 1 and n − 1. Thus, none of the remainder terms in the first 
sequence is equal to any other remainder term. 

Next, we show that each remainder in the first sequence equals one of the ki. 
By assumption, gcd(ki, n) = 1 and gcd(k, n) = 1, which means that 

gcd(n, rem(ki k, n)) = gcd(ki k, n) (by Lemma 14.2.4.5) 

= 1 (by Lemma 14.2.4.3). 

Now rem(ki k, n) is in the range from 0 to n − 1 by the definition of remainder, but 
since it is relatively prime to n, it is actually in the range 1 to n − 1. The kj's are 
defined to be the set of all such integers, so rem(ki k, n) must equal some kj. ■ 

We can now prove Euler's Theorem: 

Theorem 14.7.5 (Euler's Theorem). Suppose n is a positive integer and k is relatively 
prime to n. Then 

k^φ(n) ≡ 1 (mod n) 

Proof. Let k1, ..., kr denote all integers relatively prime to n such that 0 < ki < n. 
Then r = φ(n), by the definition of the function φ. Now we can reason as follows: 

k1 · k2 ··· kr 

= rem(k1 · k, n) · rem(k2 · k, n) ··· rem(kr · k, n) (by Lemma 14.7.4) 

≡ (k1 · k) · (k2 · k) ··· (kr · k) (mod n) (by Cor 14.5.2) 

≡ (k1 · k2 ··· kr) · k^r (mod n) (rearranging terms) 

Lemma 14.2.4.3. implies that k1 · k2 ··· kr is prime relative to n. So by Corol- 
lary 14.7.3, we can cancel this product from the first and last expressions. This 
proves the claim. ■ 

We can find multiplicative inverses using Euler's theorem as we did with Fer- 
mat's theorem: if k is relatively prime to n, then k^(φ(n)−1) is a multiplicative inverse 
of k modulo n. However, this approach requires computing φ(n). Unfortunately, 
finding φ(n) is about as hard as factoring n, and factoring is hard in general. How- 
ever, when we know how to factor n, we can use Theorem 14.7.1 to compute φ(n) 
efficiently. Then computing k^(φ(n)−1) to find inverses is a competitive alternative to 
the Pulverizer. 
14.7.4 RSA 

Finally, we are ready to see how the RSA public key encryption scheme works: 

RSA Public Key Encryption 

Beforehand The receiver creates a public key and a secret key as follows. 

1. Generate two distinct primes, $p$ and $q$. 

2. Let $n = pq$. 

3. Select an integer $e$ such that $\gcd(e, (p-1)(q-1)) = 1$. 

The public key is the pair $(e, n)$. This should be distributed widely. 

4. Compute $d$ such that $de \equiv 1 \pmod{(p-1)(q-1)}$. 

The secret key is the pair $(d, n)$. This should be kept hidden! 

Encoding The sender encrypts message $m$ to produce $m'$ using the public key: 

$m' = \mathrm{rem}(m^e, n)$. 

Decoding The receiver decrypts message $m'$ back to message $m$ using the secret 
key: 

$m = \mathrm{rem}((m')^d, n)$. 

We'll explain why this way of Decoding works in Problem 14.14. 
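The following is an added example, not code from the textbook: it carries out the RSA steps above with small primes as Problem 14.13 suggests, computes $d$ both with the Pulverizer (extended Euclid) and via Euler's theorem as described at the end of Section 14.7.3, and computes $\phi(n)$ from a known factorization as Theorem 14.7.1 allows. The function names and the choice of trying $e = 3, 5, 7, \ldots$ are this example's own conventions.

```python
# Added example (not the textbook's code): the two inverse methods from Section
# 14.7.3 and the RSA scheme of Section 14.7.4 / Problem 14.13, with small primes.
from math import gcd


def pulverizer(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inverse_by_pulverizer(k, n):
    """Multiplicative inverse of k modulo n, or None when gcd(k, n) != 1."""
    g, s, _ = pulverizer(k, n)
    return s % n if g == 1 else None


def phi_from_factorization(factors):
    """Euler's phi from a known factorization {p: exponent} (Theorem 14.7.1)."""
    result = 1
    for p, a in factors.items():
        result *= p ** (a - 1) * (p - 1)
    return result


def inverse_by_euler(k, n, phi_n):
    """k^(phi(n)-1) mod n, valid when gcd(k, n) == 1 (Euler's theorem)."""
    return pow(k, phi_n - 1, n)


def rsa_keygen(p, q):
    """Beforehand steps: n = pq, first odd e coprime to (p-1)(q-1), d = e^-1."""
    n, m = p * q, (p - 1) * (q - 1)
    e = 3
    while gcd(e, m) != 1:  # try e = 3, 5, 7, ... as Problem 14.13 suggests
        e += 2
    return (e, n), (inverse_by_pulverizer(e, m), n)  # public key, secret key


def rsa_encrypt(m, public):
    e, n = public
    return pow(m, e, n)  # m' = rem(m^e, n)


def rsa_decrypt(c, secret):
    d, n = secret
    return pow(c, d, n)  # m = rem((m')^d, n)
```

With $p = 11$, $q = 13$ the key generation yields $e = 7$, $n = 143$ and $d = 103$, and every codebook message 2 through 7 round-trips through encryption and decryption.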

14.7.5 Problems 

Practice Problems 

Problem 14.11. (a) Prove that $22^{12001}$ has a multiplicative inverse modulo 175. 

(b) What is the value of $\phi(175)$, where $\phi$ is Euler's function? 

(c) What is the remainder of $22^{12001}$ divided by 175? 

Problem 14.12. (a) Use the Pulverizer to find integers $s, t$ such that 

$40s + 7t = \gcd(40, 7)$. 

Show your work. 

(b) Adjust your answer to part (a) to find an inverse modulo 40 of 7 in the range 
$\{1, \ldots, 39\}$. 
Class Problems 
Problem 14.13. 

Let's try out RSA! There is a complete description of the algorithm at the bottom 
of the page. You'll probably need extra paper. Check your work carefully! 

(a) As a team, go through the beforehand steps. 

• Choose primes $p$ and $q$ to be relatively small, say in the range 10-40. In prac- 
tice, $p$ and $q$ might contain several hundred digits, but small numbers are 
easier to handle with pencil and paper. 

• Try $e = 3, 5, 7, \ldots$ until you find something that works. Use Euclid's algorithm 
to compute the gcd. 

• Find $d$ (using the Pulverizer — see appendix for a reminder on how the Pul- 
verizer works — or Euler's Theorem). 



When you're done, put your public key on the board. This lets another team send 
you a message. 

(b) Now send an encrypted message to another team using their public key. Select 
your message $m$ from the codebook below: 



• 2 = Greetings and salutations! 

• 3 = Yo, wassup? 

• 4 = You guys are slow! 

• 5 = All your base are belong to us. 

• 6 = Someone on our team thinks someone on your team is kinda cute. 

• 7 = You are the weakest link. Goodbye. 



(c) Decrypt the message sent to you and verify that you received what the other 
team sent! 



RSA Public Key Encryption 
Beforehand The receiver creates a public key and a secret key as follows. 

1. Generate two distinct primes, $p$ and $q$. 

2. Let $n = pq$. 

3. Select an integer $e$ such that $\gcd(e, (p-1)(q-1)) = 1$. 

The public key is the pair $(e, n)$. This should be distributed widely. 

4. Compute $d$ such that $de \equiv 1 \pmod{(p-1)(q-1)}$. 

The secret key is the pair $(d, n)$. This should be kept hidden! 

Encoding The sender encrypts message $m$, where $0 < m < n$, to produce $m'$ using 
the public key: 

$m' = \mathrm{rem}(m^e, n)$. 

Decoding The receiver decrypts message $m'$ back to message $m$ using the secret 
key: 

$m = \mathrm{rem}((m')^d, n)$. 



Problem 14.14. 

A critical fact about RSA is, of course, that decrypting an encrypted message al- 
ways gives back the original message! That is, that $\mathrm{rem}((m^e)^d, pq) = m$. This will 
follow from something slightly more general: 

Lemma 14.7.6. Let $n$ be a product of distinct primes and $a \equiv 1 \pmod{\phi(n)}$ for some 
nonnegative integer, $a$. Then 

$m^a \equiv m \pmod n$. (14.11) 

(a) Explain why Lemma 14.7.6 implies that $k$ and $k^5$ have the same last digit. For 
example: 

$2^5 = 32$ $\qquad$ $79^5 = 3077056399$ 

Hint: What is $\phi(10)$? 

(b) Explain why Lemma 14.7.6 implies that the original message, $m$, equals $\mathrm{rem}((m^e)^d, pq)$. 

(c) Prove that if $p$ is prime, then 

$m^a \equiv m \pmod p$ (14.12) 

for all nonnegative integers $a \equiv 1 \pmod{p-1}$. 

(d) Prove that if $n$ is a product of distinct primes, and $a \equiv b \pmod p$ for all prime 
factors, $p$, of $n$, then $a \equiv b \pmod n$. 

(e) Combine the previous parts to complete the proof of Lemma 14.7.6. 
Homework Problems 
Problem 14.15. 

Suppose $m, n$ are relatively prime. In this problem you will prove the key property 
of Euler's function that $\phi(mn) = \phi(m)\phi(n)$. 

(a) Prove that for any $a, b$, there is an $x$ such that 

$x \equiv a \pmod m$, (14.13) 
$x \equiv b \pmod n$. (14.14) 

Hint: Congruence (14.13) holds iff 

$x = jm + a$ (14.15) 

for some $j$. So there is such an $x$ only if 

$jm + a \equiv b \pmod n$. (14.16) 

Solve (14.16) for $j$. 

(b) Prove that there is an $x$ satisfying the congruences (14.13) and (14.14) such that 

$0 \le x < mn$. 

(c) Prove that the $x$ satisfying part (b) is unique. 

(d) For an integer $k$, let $k^*$ be the integers between 1 and $k - 1$ that are relatively 
prime to $k$. Conclude from part (c) that the function 

$f : (mn)^* \to m^* \times n^*$ 

defined by 

$f(x) ::= (\mathrm{rem}(x, m), \mathrm{rem}(x, n))$ 

is a bijection. 

(e) Conclude from the preceding parts of this problem that 

$\phi(mn) = \phi(m)\phi(n)$. 

Exam Problems 
Problem 14.16. 

Find the remainder of $26^{1818181}$ divided by 297. Hint: $1818181 = (180 \cdot 10101) + 1$; 
Euler's theorem. 

Problem 14.17. 

Find an integer $k > 1$ such that $n$ and $n^k$ agree in their last three digits whenever 
$n$ is divisible by neither 2 nor 5. Hint: Euler's theorem. 